Skip to main content

LAMP : Apache Web Server Security Hardening




Firewall - UFW

A good place to start is to install a Firewall.
UFW - Uncomplicated Firewall is a basic firewall that works very well and easy to configure with its Firewall configuration tool - gufw, or use  Shorewall, fwbuilder, or Firestarter.
Use Firestarter GUI to configure your firewall or refer to the Ubuntu Server Guide,  UFW manual pages or the Ubuntu UFW community documentation.

Install UFW and enable, open a terminal window and enter :

:~$ sudo apt-get install ufw

Allow SSH and Http services.
:~$ sudo ufw allow ssh
:~$ sudo ufw allow http
:~$ sudo ufw allow https/tcp

Enable the firewall.
:~$ sudo ufw enable

Check the status of the firewall.
:~$ sudo ufw status verbose


SSH Hardening - key based login, disable root login and change port.


The best way to secure SSH is to use public/private key based login. See SSH/OpenSSH/Keys
If you have to use password authentication, the easiest way to secure SSH is to disable root login and change the SSH port to something different than the standard port 22.

After you install fail2ban (tutorial below), keeping track logs and you will noticed that a ton of  IP addresses are being sshd: banned (Moslty Chinese and Russian IP addresses). Most of these brute force attacks are automated and usually target the default port 22 this would further reduce the number of attacks on your ssh service.

Before disabling the root login create a new SSH user and make sure the user belongs to the admin group (see step 4. below regarding the admin group).
if you change the SSH port keep the port number below 1024 as these are priviledged ports that can only be opened by root or processes running as root.
If you change the SSH port also open the new port you have chosen on the firewall and close port 22.

Open a Terminal Window and enter :
:~$ sudo nano /etc/ssh/sshd_config

Change or add the following and save.
Port <ENTER YOUR PORT>
Protocol 2
PermitRootLogin no
DebianBanner no

Update firewall :

:~$ sudo ufw allow <ENTER YOUR PORT>/tcp


Delete Rules
Knowing how to delete firewall rules is just as important as knowing how to create them. There are two different ways specify which rules to delete: by rule number or by the actual rule (similar to how the rules were specified when they were created). We'll start with the delete by rule number method because it is easier, compared to writing the actual rules to delete, if you're new to UFW.

By Rule Number

If you're using the rule number to delete firewall rules, the first thing you'll want to do is get a list of your firewall rules. The UFW status command has an option to display numbers next to each rule, as demonstrated here:

:~$ sudo ufw status numbered

Numbered Output:
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    15.15.15.0/24
[ 2] 80                         ALLOW IN    Anywhere
If we decide that we want to delete rule 1, the one that allows port 22 (SSH) connections, we can specify it in a UFW delete command like this:

:~$ sudo ufw delete 1

:~$ sudo service ufw restart
:~$ sudo service ssh restart

Protect su by limiting access only to admin group

To limit the use of su by admin users only we need to create an admin group, then add users and limit the use of su to the admin group.
Add a admin group to the system and add your own admin username to the group by replacing <YOUR ADMIN USERNAME> below with your admin username.

Open a terminal window and enter:
:~$ sudo groupadd admin
:~$ sudo usermod -a -G admin <YOUR ADMIN USERNAME>
:~$ sudo dpkg-statoverride --update --add root admin 4750 /bin/su



MOD SECURITY

:~$ sudo apt-get install libapache2-modsecurity
:~$ sudo a2enmod headers
:~$ sudo a2enmod security2

apache2ctl -M | grep -i security

security2_module (shared)


MOD EVASIVE

:~$ sudo apt-get install libapache2-mod-evasive

:~$ sudo apachectl -M | grep evasive

Configure Mod_evasive
The mod_evasive module reads its configuration from “/etc/apache2/mods-enabled/evasive.conf.” You can easily customize the mod_evasive module through the “evasive.conf” configuration file. By default, mod_evasive configuration options are disabled, so you will need to enable them first. To do this, edit the “evasive.conf” file:

:~$ sudo mkdir /var/log/mod_evasive
:~$ sudo chown www-data:www-data /var/log/mod_evasive/

:~$ sudo nano /etc/apache2/mods-enabled/evasive.conf


<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        2
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10

    DOSEmailNotify      you@yourdomain.com
    #DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"
    DOSLogDir           "/var/log/mod_evasive"
</IfModule>



:~$ sudo a2enmod evasive


FAIL2BAN 

:~$ sudo apt-get install fail2ban

Since this file can be modified by package upgrades, we should not edit this file in-place, but rather copy it so that we can make our changes safely.

:~$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

:~$ sudo nano /etc/fail2ban/jail.local

Read some instruction included in the file, find and update these:

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.

ignoreip = 127.0.0.1/8 your_home_IP another_ip

destemail = youraccount@email.com
sendername = Fail2BanAlerts

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section

action = %(action_mwl)s

[sshd]
enabled = true

[apache-auth]
enabled = true

[apache-badbots]
enabled = true

[apache-overflows]
enabled = true

[apache-nohome]



 INSTALL ZIP

:~$ sudo apt install unzip


DDOS DEFLATE

https://github.com/jgmdev/ddos-deflate

Installation

As root user execute the following commands:

:~$ wget https://github.com/jgmdev/ddos-deflate/archive/master.zip
:~$ unzip master.zip

:~$ cd ddos-deflate-master
:~$ sudo ./install.sh

Uninstallation
As root user execute the following commands:

:~$ cd ddos-deflate-master
:~$ ./uninstall.sh


Once you hava (D)Dos deflate installed proceed to modify the config files to fit your needs.

:~$ sudo nano /etc/ddos/ignore.host.list

On this file you can add a list of host names to be whitelisted, for example:

googlebot.com
my-dynamic-ip.somehost.com

:~$ sudo nano /etc/ddos/ignore.ip.list

On this file you can add a list of ip addresses to be whitelisted, for example:

12.43.63.13
129.134.131.2

:~$ sudo nano /etc/ddos/ddos.conf

The behaviour of the ddos script is modified by this configuration file. For more details see man ddos which has documentation of the different configuration options.

After you modify the config files you will need to restart the daemon. If running on systemd:

:~$ sudo systemctl restart ddos

If running as classical init.d script:

:~$ /etc/init.d/ddos restart
or
:~$ sudo service ddos restart

if you encounter this error

Job for ddos.service failed because the control process exited with error code. See "systemctl status ddos.service" and "journalctl -xe" for details.

or this

/usr/local/ddos/ddos.sh: 25: [: /etc/ddos/ddos.conf: unexpected operator
DDoS-Deflate version 0.9
Copyright (C) 2005, Zaf <zaf@vsnl.com>

$CONF not found.

To fix this open ddos.sh

:~$ sudo nano /usr/local/ddos/ddos.sh

change the first line from #!/bin/sh to #!/bin/bash


SECURE WORDPRESS PINGBACK DDOS ATTACK


:~$ sudo nano /etc/apache2/apache2.conf

Update:

<Directory /var/www/>
        Options -Indexes
        AllowOverride All
        Require all granted
        BrowserMatchNoCase WordPress wordpress_ping
        BrowserMatchNoCase Wordpress wordpress_ping
        Order Deny,Allow
        Deny from env=wordpress_ping
</Directory>

:~$ sudo service apache2 restart

SSL

:~$ sudo a2enmod ssl

Protect Your Server Against the Dirty COW Linux Vulnerability


:~$ sudo apt-get update && sudo apt-get dist-upgrade

:~$ sudo reboot

Learn more about dirty cow : https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-dirty-cow-linux-vulnerability


PREVIOUS POST :
Post a Comment

Popular posts from this blog

CakeAdminLTE is based on AdminLTE Theme for CakePHP 2.4+

CakeAdminLTE v.1.0 CakeAdminLTE is based on Twitter Bootstrap 3.0+ and AdminLTE Theme for CakePHP 2.4+


AdminLTE Dashboard and Control Panel Template  Responsive admin template Free & open source Built with Bootstrap 3 Easy to customize Quick StartDownload the .zip fileExtract the files into your CakePHP folderTo enable your theme add the following to your "app/Controller/AppController.php" class:public$theme="CakeAdminLTE"; IMPORTANT: If you would like to bake your app, please make sure you have enabled the theme before baking. DOWNLOAD: CakeAdminLTE

CakePHP: COUNT data and GROUP BY date

Goal: Count Tip Offs created per day for a month to use for graph
Problem: created field name is in datetime format: Y-m-d H:i:s
Solution: format SQL Query date: DATE_FORMAT(TipOff.created, '%Y-%m-%d')





Inside the function of controller
<?php$tipOffsMonthly=$this->TipOff->find('all', array('conditions'=>array('AND'=>array('TipOff.electric_cooperatives_id'=>AuthComponent::User('electric_cooperatives_id'), 'TipOff.created BETWEEN ? AND ?'=>array($first_day, $last_day))), 'fields'=>array("COUNT('created') as per_day", 'created'), 'group'=>array("DATE_FORMAT(TipOff.created, '%Y-%m-%d')") ));?>

CakePHP: Calling function from other controller

Import Controller of the function you want to use.

Once you imported  the controller you can call any function of this controller.

<?php//Import controller  App::import('Controller','SmsOutgoings');class ReportsController extends AppController {publicfunctionadd(){$message="Notification: New report submitted!";//Instantiation$SmsOutgoings=new SmsOutgoingsController;//Call a method from SmsOutgoingsControllerwith parameter$SmsOutgoings->notify_user($user_id,$message);}}?> Other way is by using the requestAction() function
<?phpclass ReportsController extends AppController {publicfunctionadd(){$message="Notification: New report submitted!";//Call a method from SmsOutgoingsController with parameter$this->requestAction('/sms_outgoings/notify_user',array($user_id,$message))